Global spending ramped up to deal with EU regulation

The jurisdiction extension of data privacy through the General Data Protection Regulation (GDPR) means that the new regulation will not only effect major changes in Europe but will require dramatic investment by data processors globally.

The Financial Times (FT) reports that the Fortune 500 will spend a combined $7.8 billion to get in line with the directions set out the General Data Protection Regulation (GDPR). The figure was attained from data released within IAPP-EY Annual Privacy Governance Report 2017, which identifies the significant changes taking place globally in response to the impending regulation.

Three quarters of the respondents to a survey issued as part of the third annual study of governance in organisations, surveying modern privacy operations, were from outside of the EU. However, the fact that 95 per cent of respondents recognised that the GDPR applies to their organisation goes some way to highlight the Regulation’s global reach.

Of those companies based in the EU, 75 per cent outlined that GDPR compliance is driving their privacy programme and this is the same for half of the US companies surveyed.

The report finds that on average, each organisation expects to hire an additional two employees solely to help with GDPR compliance and spend $5 million on adaption of products and services.

While the GDPR will not take effect until 2018, 2017 has already seen a dramatic increase in adjustments to ensure compliance. Some notable changes include investments in training, with 13 per cent more companies investing than this time last year. Some organisations have also taken the opportunity to embed a Data Protection Officer earlier in the process than is technically required. The number of DPO’s appointed has jumped from 34 per cent in 2016 to 48 per cent in in 2017. The appointment of multiple DPOs has increased 7 per cent over the year.

However, probably the largest shift in adapting for the GDPR has been through technology and the role it is now playing in privacy management. Investing in technology has now become the second most popular tool in preparation from the GDPR, with 55 per cent of respondents planning to make such investments compared to 29 per cent last year.

Interestingly, 60 per cent of firms believe they will only be partially compliant with the GDPR by May 2018, that is despite a hike in new spending. Privacy budgets alone are estimated to rise from $1.7 million to $2.1 million in 2017. Even with the increase, a total of 67 per cent of respondents said that their budgets were either “somewhat less than sufficient” or “much less than sufficient” to equip them fully for the Regulation implementation.

The report concludes: “Even though the EU’s GDPR has yet to take effect, organisations the world over are spending money on hiring and promoting privacy staff, training employees on privacy, purchasing technology to help with the GDPR compliance, and pushing privacy awareness into every corner of the firm.

“Privacy issues are now board-level concerns – even apart from data breach issues – as organisations are more likely than ever before to see privacy as risk management, and business opportunity.”

Technology companies

Technology firms are expected to bear the brunt of system changes introduced by the GDPR. In the EU, technology companies have outlined it as one of the most expensive pieces of regulation in the sector’s history.

Facebook Ireland is a prime example of the level of change that will be introduced, estimating that their data protection team will be growing by 250 per cent over the next year.

Facebook were one of three companies within an FT survey of 20 of the largest social media, software, financial technology and internet companies with EU operations which stated that the GDPR preparation would cost several million dollars.

While others outlined their need to hire extra staff and consultants to implement changes so that customers could delete information, or export it in a format compatible with rival services.

Cloud service providers, who host information on behalf of other companies, are being particularly challenged by the increased regulation empowering the consumer. The right to be forgotten and to withdraw consent will shift their role from data processors to data controllers, and with that brings greater levels of accountability.